Recently, I've undertaken the task of PCI Compliance for several servers I
manage. One of the recurring recommendations is to disable TLS 1.0 in favor
of TLS 1.1/1.2.
The good news: disabling TLS 1.0 on a group of servers is super easy using
Ansible! Sadly, one of the side effects of disabling it is that the WinRM
connection in my Ansible scripts becomes completely broken afterward. After
disabling, connecting to Windows servers results in the following error:
fatal: [10.0.20.20]: FAILED! => {"failed": true, "msg": "ERROR! ssl: 500
WinRMTransport. [Errno 54] Connection reset by peer"}
Re-enabling TLS 1.0 will correct the issue, but obviously it's not ideal,
and I'm wondering what can be done. So, some questions:
1. Is TLS 1.0 required in Windows, or is it something in pywinrm package?
2. If TLS 1.0 must be used, is there an interim solution where it can be
disabled for IIS (port 443) only? The only solutions I have found online
disable it in the SCHANNEL/Protocols registry key, which then disables it
system-wide in Windows.
3. Has anyone run into this problem or discovered another workaround?
Thanks, looking forward to discussing!
-chris
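One way to separate the two sides of question 1 is to test, from the Ansible control node itself, which TLS versions the Windows WinRM HTTPS listener will actually negotiate with the same OpenSSL that pywinrm uses. The probe below is an added example written for this thread, not code from the original post or from the Ansible/pywinrm projects. The host `10.0.20.20` is taken from the error message above and port 5986 is assumed to be the WinRM HTTPS listener; both are placeholders to change for your environment. If the listener negotiates TLS 1.1 or 1.2 here while pywinrm still resets, the remaining difference is on the client side rather than in the server's SCHANNEL settings.

```python
"""Probe which TLS protocol versions a WinRM HTTPS listener will negotiate.

Added example, not part of the original post. Run it from the Ansible control
node so the result reflects the same Python/OpenSSL stack that pywinrm uses.
"""
import socket
import ssl

# Assumed placeholders: the host from the error message in the post and the
# default WinRM HTTPS port. Adjust for your environment.
TARGET_HOST = "10.0.20.20"
TARGET_PORT = 5986

# Human-readable labels mapped onto the ssl module's TLSVersion enum.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def build_context(label):
    """Return a client SSLContext pinned to exactly one TLS version.

    Certificate verification is switched off because WinRM listeners are
    frequently self-signed and this probe only asks about protocol
    negotiation, not about certificate trust.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = VERSIONS[label]
    ctx.maximum_version = VERSIONS[label]
    return ctx


def probe(host, port, label, timeout=5.0):
    """Attempt one handshake with a single TLS version; return a status string."""
    try:
        ctx = build_context(label)
    except (ValueError, ssl.SSLError) as exc:
        # Some OpenSSL builds refuse to enable old protocol versions at all.
        return f"unsupported by local OpenSSL ({exc})"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return f"negotiated {tls.version()}"
    except ConnectionResetError:
        # A reset in the middle of the handshake is the symptom quoted in the
        # post ("Connection reset by peer"); the server closed the connection
        # instead of finishing negotiation.
        return "connection reset during handshake"
    except ssl.SSLError as exc:
        return f"handshake failed ({exc.reason})"
    except OSError as exc:
        return f"connect failed ({exc})"


def summarize(results):
    """Turn {label: status} into a one-line conclusion about the listener."""
    modern = [v for v in ("TLSv1.1", "TLSv1.2")
              if results.get(v, "").startswith("negotiated")]
    if modern:
        return ("server accepts " + ", ".join(modern)
                + "; a client that still fails is not being blocked by the server")
    if results.get("TLSv1.0", "").startswith("negotiated"):
        return "server only negotiates TLSv1.0"
    return "no TLS version negotiated; check the listener and firewall"


def run(host=TARGET_HOST, port=TARGET_PORT):
    """Probe every version in VERSIONS and return the per-version results."""
    return {label: probe(host, port, label) for label in VERSIONS}


if __name__ == "__main__":
    outcome = run()
    for label, status in outcome.items():
        print(f"{label:8s} {status}")
    print(summarize(outcome))
```

Because each context is pinned to a single version with both `minimum_version` and `maximum_version`, a successful handshake proves that exact version is enabled server-side, independent of what pywinrm or its HTTP library would have chosen.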
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/87a30cf1-30c9-4c25-a45f-13e6e13cf64b%40googlegroups.com.